WSO2 IS whitespaces inside password policy - wso2

I have set the following password policy [\sa-zA-Z0-9]{10,30}$ in WSO2 IS in Identity Provider->Resident->Password Policies->Password Patterns.
I have added the \s to support whitespace, but I get an error when trying to add a password with a whitespace within it.
Caused by: org.wso2.carbon.user.core.UserStoreException: 30003 - Credential is not valid. Credential must be a non null string with following format, ^[\S]{5,30}$
I use WSO2 IS 5.9.
Do I have to set any other special characters in the regular expression or to do additional configuration in WSO2 IS?

There is a regex validation at the user-store level too. You can change them by adding the following config to the deployment.toml and restart the server.
(Note: If [user_store] is already defined in the deployment.toml add these configs under the same tag)
[user_store]
password_java_regex="^[\\sa-zA-Z0-9]{10,30}$"
password_java_script_regex="^[\\sa-zA-Z0-9]{10,30}$"
Once the server gets restarted you can see the modified values of PasswordJavaRegEx (regex for backend validation in userstore level) and PasswordJavaScriptRegEx (regex for UI validation) in <wso2is>/repository/conf/user-mgt.xml file.
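As an added worked example (not code from the question or the answer), the following Python check runs a candidate password through both layers the thread describes, the resident IdP pattern and the user-store regex, and renders the matching [user_store] override with proper TOML escaping; the layer order and the fullmatch() semantics are assumptions standing in for WSO2's Java-side validation.

```python
import re

# Regexes taken from the thread: the resident IdP password pattern set in the
# question, the stock user-store regex quoted in the UserStoreException, and the
# TOML override from the answer (TOML "\\s" decodes to the single "\s" seen here).
POLICY_PATTERN = r"^[\sa-zA-Z0-9]{10,30}$"
USERSTORE_DEFAULT = r"^[\S]{5,30}$"
USERSTORE_FIXED = r"^[\sa-zA-Z0-9]{10,30}$"


def check_password(password, policy=POLICY_PATTERN, userstore=USERSTORE_DEFAULT):
    """Return the first layer that rejects the password, or None if both accept it.

    Modelled (assumption) as: IdP password policy first, then the user store's
    PasswordJavaRegEx. Java's String.matches() anchors implicitly; fullmatch()
    reproduces that here.
    """
    if re.fullmatch(policy, password) is None:
        return "password-policy"
    if re.fullmatch(userstore, password) is None:
        return "user-store"
    return None


def user_store_toml(java_regex):
    """Render the [user_store] override for deployment.toml with TOML basic-string
    escaping, so the user-store regex is exactly the policy regex."""
    escaped = java_regex.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "[user_store]\n"
        f'password_java_regex="{escaped}"\n'
        f'password_java_script_regex="{escaped}"\n'
    )


if __name__ == "__main__":
    # "pass word 1" passes the policy but the default user store rejects it,
    # which is the situation in the question.
    for pw in ("pass word 1", "pw 2"):
        print(repr(pw), "->", check_password(pw), "(default user store)")
    print(user_store_toml(POLICY_PATTERN))
```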


WSO2 Identity Server : User self-registration via my account

Source : https://lms.wso2.com/courses/take/wso2-identity-server-fundamentals-v5-11/pdfs/22647862-practical-exercise-user-management
After following "LAB02 : User self-registration via my account" as mentioned in the source, I get the error shown in the screenshot; the corresponding deployment.toml can also be seen in the screenshot. How do I fix this error?
As per the ERROR traces in your terminal, your deployment.toml file contains some keys more than once.
e.g. "ERROR {org.wso2.config.mapper.TomlParser} - server previously defined at line 1, column 1 (line 79, column 1)" means the [server] configs are in the deployment.toml at line 1 and at line 79.
You can't define the same key (e.g. [server]) more than once in the deployment.toml file.
Check the other ERRORs and remove the redundant configs.
You can find more details about the toml configs at:
https://www.youtube.com/watch?v=BRWvtcV1T94&t=695s
https://www.youtube.com/watch?v=-WqZhUoK77I
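An added helper (not from the thread) that finds the kind of duplicate table the TomlParser error complains about before the server is restarted; the deployment.toml fragment is constructed, and [[event_listener]] stands in for any array table, which TOML allows to repeat.

```python
import re

# Constructed deployment.toml fragment (not a real WSO2 file) that reproduces the
# error from the answer: [server] is opened at line 1 and again at line 13.
SAMPLE_TOML = """[server]
hostname = "localhost"

[super_admin]
username = "admin"

[[event_listener]]
id = "listener-one"

[[event_listener]]
id = "listener-two"

[server]
node_ip = "127.0.0.1"
"""

# [table] headers must be unique; [[array.table]] headers may legitimately repeat.
TABLE_HEADER = re.compile(r"^\s*\[(?P<name>[^\[\]]+)\]\s*(?:#.*)?$")
ARRAY_HEADER = re.compile(r"^\s*\[\[(?P<name>[^\[\]]+)\]\]\s*(?:#.*)?$")


def find_duplicate_tables(toml_text):
    """Return (name, first_line, duplicate_line) for every [table] defined twice."""
    first_seen = {}
    duplicates = []
    for lineno, line in enumerate(toml_text.splitlines(), start=1):
        if ARRAY_HEADER.match(line):
            continue
        match = TABLE_HEADER.match(line)
        if match is None:
            continue
        name = match.group("name").strip()
        if name in first_seen:
            duplicates.append((name, first_seen[name], lineno))
        else:
            first_seen[name] = lineno
    return duplicates


def report(toml_text):
    """Format findings in the same shape as the TomlParser message in the thread."""
    return [f"{name} previously defined at line {first} (line {dup})"
            for name, first, dup in find_duplicate_tables(toml_text)]


if __name__ == "__main__":
    for message in report(SAMPLE_TOML):
        print("ERROR", message)
```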
Thanks Anuradha.
The above error message comes from Docker.
To keep things simple:
Today, I installed WSO2 on Windows.
Disabled two-factor authentication in Gmail.
Enabled less secure apps in Gmail.
The source documentation worked as is.

Configuring WSO2 IS behind a reverse proxy at some context

I am trying to set up WSO2 Identity Server behind a reverse proxy for SSL offloading. For example, let's say WSO2 IS is available at https://<some-ip>:9443/, and I am trying to put it behind a reverse proxy with an address such as https://<domain name>/is/. Note the context path /is and SSL port 443. I thought that this would be trivial enough, but sadly I am unable to find any conclusive documentation for achieving it.
My applications use OIDC to connect to WSO2 IS, and I am using Azure Application Gateway as the reverse proxy. Typically all API calls work well, but neither the UI nor flows involving redirections work because of the context path. I can fix redirects by URL rewriting at the reverse proxy, but that still doesn't solve the problem. For example, the login page will appear, but the XHR call from it goes to /logincontext instead of /is/logincontext. Where can I set up the proxy context path in WSO2 IS? I already tried setting it in the .toml file (the equivalent of setting it in carbon.xml), but it seems to affect only the Management Portal.
The WSO2 IS documentation talks about setting it up behind nginx, but that documentation does not use any context path. I could find reverse proxy documentation for other WSO2 products such as WSO2 API Manager, but it only involves updating carbon.xml, and that doesn't work for WSO2 IS. I am not a Java person and hence find it difficult to figure out the web app organization of WSO2.
Any help/link to documentation/guide to set up with proxy context will be useful.
I know that this answer comes a little bit late, but recently I had a similar issue and here is how I made it work; maybe it could be helpful for someone. I was using WSO2 IS 5.11.0.
Note:
I checked similar questions on stackoverflow and found a few but none was enough by itself for my case.
Maybe the solution I came up with is not the best or the most correct but it is the only one I could make work.
Here's how I did it, assuming the context path is "is":
Open Carbon Management Console and go to Identity Providers -> Resident. Then, go to Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Here, change the hostname under Identity Provider Entity ID to https://domain_name:443/is/<remaining path>.
Make sure that the port number is present or absent both here and in the client application. If there is a mismatch between the two, for some reason, it won't work (or at least it didn't for me).
Open the file deployment.toml and modify it as follows:
under the [server] section, add your proxy context at the end of the base_path url, e.g. base_path = "https://$ref{server.hostname}:${carbon.management.port}/is";
of course, also add proxy_context_path = "is" (actually, this last line should be enough but for some reason in my case it wasn't, so I had to modify the base path too);
under [transport.https.properties] add proxyPort="443".
For the record, I also turned off compression, by adding:
[transport.http.properties]
compression="off"
[transport.https.properties]
...
compression="off"
and set the token issuer URL equal to the entity id set up in Carbon, with:
[oauth]
use_entityid_as_issuer_in_oidc_discovery = true
but found out that these last two steps (turning off compression and setting the entity id as issuer) weren't needed.
Disable the CSRF guard by setting org.owasp.csrfguard.Enabled = false in the file /repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2.
This step was necessary for me to avoid the 403 Error after logging in on the Carbon Console (turning off compression didn't work).
Lastly, if you use nginx as reverse proxy (as I did), add these two lines in the location used for wso2:
proxy_redirect https://domain_name/oauth2/ https://domain_name/is/oauth2/;
proxy_redirect https://domain_name/carbon/ https://domain_name/is/carbon/;
These are needed (or at least were for me) because some URLs are not under the context path. In particular, the last one allows you to open the Carbon Console at https://domain_name/is/carbon/.
References:
wso2 api manger carbon page gives 403 Forbidden
WSO2 Identity Server login returns a 403
WSO2 Identity Server port configuration
To understand the template-based configuration model adopted from version 5.9.0 onwards, see:
https://apim.docs.wso2.com/en/latest/reference/understanding-the-new-configuration-model/
https://mcvidanagama.medium.com/understand-wso2-api-managers-new-configuration-model-6425a2710faa
Here are some useful configuration mappings from the old xml to the new toml based model:
https://github.com/ayshsandu/samples/tree/master/config-mapping
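As an added check (not from the answer), this Python snippet inspects an OIDC discovery document for URLs that are not under the proxied base, which is how a missing context path or the port mismatch the answer warns about shows up to OIDC clients; the document is constructed, and the hostname domain_name is the answer's placeholder.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document (not fetched from a real server). The issuer
# already carries the proxied entity ID from step 1 of the answer, but two
# endpoints are still wrong in the ways the thread describes: one lacks the
# "/is" context path, the other lacks the ":443" port.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://domain_name:443/is/oauth2/token",
    "authorization_endpoint": "https://domain_name:443/is/oauth2/authorize",
    "token_endpoint": "https://domain_name:443/oauth2/token",
    "jwks_uri": "https://domain_name:443/is/oauth2/jwks",
    "end_session_endpoint": "https://domain_name/is/oidc/logout",
    "scopes_supported": ["openid", "email"],
})


def check_discovery(document, external_base):
    """Return (key, url) for every URL in the document not under external_base.

    Scheme and netloc are compared exactly as written: the answer notes that the
    port must be consistently present or absent, so ":443" is not normalised away.
    """
    base = urlsplit(external_base)
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    problems = []
    for key, value in json.loads(document).items():
        if not isinstance(value, str) or "://" not in value:
            continue  # lists such as scopes_supported are not URLs
        url = urlsplit(value)
        if (url.scheme, url.netloc) != (base.scheme, base.netloc) \
                or not url.path.startswith(base_path):
            problems.append((key, value))
    return problems


if __name__ == "__main__":
    for key, url in check_discovery(SAMPLE_DISCOVERY, "https://domain_name:443/is/"):
        print(f"{key}: {url} is not under the proxied base")
```

Against a live deployment the same function can be fed the body of <external base>/oauth2/token/.well-known/openid-configuration.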

Custom fail2ban ban rule not working (incorrect failregex usage?)

I am currently trying to secure our backup server and its interface, as it currently does not have any kind of (extra) security other than a strong password. The backup server is based on CentOS 7.x.
Log file location:
/var/log/backup
Log file names:
backuplog-2019310.log
backuplog-2019309.log
backuplog-2019308.log
backuplog-2019307.log
False logins are logged like:
[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': Invalid authentication (Address=200.100.150.50:28534)
[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': Invalid authentication (Address=120.30.40.20:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'info': Invalid authentication (Address=85.80.75.70:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'user': Invalid authentication (Address=25.125.155.190:28534)
In /etc/fail2ban/jail.local:
[backup]
enabled = true
filter = backup
logpath = /var/log/backup/backuplog-*.log
port = 80,443
The use of the asterisk in there is allowed, right?
So far I understand it correctly, I hope.
However I am experiencing issues with creating a correct filter for this custom fail2ban ban rule (= filter).
Example of /etc/fail2ban/filter.d/backup.conf:
[Definition]
failregex = [[]Web login failure for account []] .* Invalid authentication
ignoreregex =
But it's not working. So I am guessing my failregex is incorrect? Maybe someone can advise me on the correct failregex to apply to make it work?
I am receiving the following error messages when starting up fail2ban:
ERROR NOK: ("No 'host' group in '[[]Web login failure for account []] .* Invalid authentication'",)
So I am guessing the failregex is incorrect?
//update 1 - STILL ISSUES + ADDITIONAL QUESTION
Fooled around a bit more. This is the updated failregex:
failregex = [][] Web login failure for account .* <HOST>
Now I am not getting the "ERROR NOK" anymore, however it's still not working. This is the fail2ban log:
2019-11-06 14:44:39,111 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:41,706 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,082 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,623 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
So what am I doing wrong here?
Also, coming to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great. Especially when more and more log files are created. Right?
Is there a way to target the current or latest log file e.g. backuplog-2019310.log?
Thanks in advance.
In the meantime I will fool around a bit more.
//update 2 - MAIN ISSUE SOLVED!!
I guess I solved it by using the following failregex:
failregex = Invalid authentication \(Address=<HOST>
Will see if I can make it somewhat better obviously. But it's a great start for me.
So maybe someone can help me with the issue in regards to the log file as mentioned above. For easier reading I will ask it here again:
Also, coming to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great. Especially when more and more log files are created. Right?
Is there a way to target the current or latest log file e.g. backuplog-2019310.log?
Maybe someone has a solution for this?
Thank you in advance.
As for the regex, it is always better to use anchored REs, so either at the end:
failregex = Invalid authentication \(Address=<HOST>\)\s*$
or at the beginning:
failregex = ^\[\] \[Audit\] Web login failure for account '[^']+': Invalid authentication \(Address=<HOST>
And disable usedns for this jail if no hostnames in log are expected (or use <ADDR> instead of <HOST> if f2b >= v.0.10).
As for current (latest) log file, simply create a symlink in postrotate (see https://stackoverflow.com/a/58430149/7161854).
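As an added illustration (not from the thread), this Python script mimics how fail2ban applies a failregex to the sample lines: it removes the timestamp, expands <HOST> (assumed here to be the 0.9-era expansion; 0.10+ is more elaborate) and reports what the host group captured, which shows why the update-1 regex produced DNS warnings and why the anchored version returns the addresses.

```python
import ipaddress
import re

# Constructed lines in the format shown in the question.
LOG_LINES = [
    "[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': "
    "Invalid authentication (Address=200.100.150.50:28534)",
    "[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': "
    "Invalid authentication (Address=120.30.40.20:28534)",
]

# Assumption: fail2ban 0.9's expansion of <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# fail2ban cuts the matched date out of the line before trying failregex, which
# is why the surrounding brackets survive as "[]" in the regexes of this thread.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?")


def compile_failregex(failregex):
    """Expand <HOST> and reject a pattern without a host group (the 'ERROR NOK')."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_RE))
    if "host" not in compiled.groupindex:
        raise ValueError(f"No 'host' group in '{failregex}'")
    return compiled


def extract_hosts(failregex, lines=LOG_LINES):
    """Return the <HOST> capture for each line the failregex matches."""
    regex = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = regex.search(DATE_RE.sub("", line, count=1))
        if match:
            hosts.append(match.group("host"))
    return hosts


def needs_dns(host):
    """True when the capture is not an IP literal, so fail2ban would attempt a
    DNS lookup (the 'Unable to find a corresponding IP address' warnings)."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Greedy ".* <HOST>" backtracks to the last word after a space: "authentication".
    print(extract_hosts(r"[][] Web login failure for account .* <HOST>"))
    print(extract_hosts(r"^\[\] \[Audit\] Web login failure for account '[^']+': "
                        r"Invalid authentication \(Address=<HOST>"))
```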

WSO2 API Manager deployment with scalable traffic manager jndi configuration contains "/test" for QueueConnectionFactory in the documentation

I'm referring to the "Scalable Traffic Manager Deployment Patterns for WSO2 API Manager - Part 1" article, and it contains the following configuration for the jndi.properties file:
connectionfactory.TopicConnectionFactory = amqp://admin:admin#clientid/carbon?brokerlist='tcp://localhost:5673'
connectionfactory.QueueConnectionFactory = amqp://admin:admin#clientID/test?brokerlist='tcp://localhost:5673'
What does this /test URL do, and does it need to be modified?
Here, actually, what we need to add is the first line. The second line was already in the default jndi.properties file. So you can safely ignore the second line, as you only need to add the first line to the existing file.
Thanks,
sanjeewa.

Custom Properties Using Sitecore Active Directory Module

Trying to set up custom properties using the Sitecore AD Module. I have done the steps provided in Chapter 3 of the AD Module Admin Guide, but keep getting stuck with the error below. Wondering if anyone has successfully set this up with Sitecore 8?
Error: "Provider name cannot be null or empty" when adding the line below to the web.config:
<add name="ad" type="LightLDAP.SitecoreADMembershipProvider" connectionStringName="portalConn"
     applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"
     requiresQuestionAndAnswer="false" requiresUniqueEmail="false" connectionUsername="UserName"
     connectionPassword="***" connectionProtection="Secure" attributeMapUsername="sAMAccountName" enableSearchMethods="true" />
Connection String:
<add name="portalConn" connectionString="LDAP://ADServer/OU=Portal,DC=Dev,DC=Com" />
I had a similar situation and the suggestions from this post helped me fix it:
http://techitpro.com/active-directory-module-sitecore/
ERROR: Provider name cannot be null or empty.
The yellow screen of death appears if you have not specified the Fully Qualified Domain Name (FQDN) of your LDAP location in the connectionstrings.config file. Ensure that the LDAP connection string contains the FQDN, with the port as well.
You might face the same error if you are not using the correct username and password to access your domain. So check that the username and password supplied in the provider setting are correct, not locked out and not expired.